AWS S3 able to download some objects, but some other objects failed with 403 forbidden

0

Some objects fail to download with 403 Forbidden. Their content type is empty, and it appears that nothing can be retrieved from these objects; it seems like they are not found, but they exist in the AWS S3 console.

asked 2 months ago, 143 views
4 Answers
0

Hello.

Is it possible to download it using AWS CLI instead of the management console?

aws s3 cp s3://file-name.txt ./

Also, are you specifying the content type when uploading the object?

answered 2 months ago
  • Hi, yes, we have tried "aws s3 cp s3://{bucket}/{folder}/{filename} .", but it shows "fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden". The file exists, and when trying another file in the same bucket and same folder, it is able to download.

  • Are there any differences other than content type between files that can be downloaded and files that cannot be downloaded? For example, is there any difference in the object owner, file size, file extension, etc.? https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-retrieving.html

  • Thank you for confirmation. There may have been some problem during upload. I cannot directly check your AWS account, so if you are subscribed to a paid AWS support plan, you may want to contact them there.

0

Different objects can have a different ACL and/or KMS key.

What IAM access do you have?

The access denied in your screenshot looks like you may be downloading the files using the https download link anonymously. For that to work you’d need public access enabled.

answered 2 months ago
  • Hi Gary, thanks for your info. Currently we have an S3 gateway endpoint enabled and use it directly to download from S3 within the intranet. For some objects in the same bucket and same folder we have this issue: even when we use the aws s3 cp command, some objects respond with "fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden", but other objects in the same folder and bucket can be accessed with no issues. We tried replacing this object with one of the same name and same content type, and then it can be downloaded; if we remove the latest version of this object, it cannot be downloaded again.

  • Hi Gary, currently our bucket policy is:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSLOnly",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::{my_bucket}",
                    "arn:aws:s3:::{my_bucket}/*"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            },
            {
                "Sid": "S16112775312312",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::{my_account_id}:role/{my_iam_role}"
                    ]
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::{my_bucket}",
                    "arn:aws:s3:::{my_bucket}/*"
                ]
            }
        ]
    }

    We have the IAM role: "arn:aws:iam::{my_account_id}:role/{my_iam_role}"

    The policy in this role specifies "s3:*" as ALLOW.
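
One way to check the per-object owner difference raised in the answers above, including on older versions hidden behind a newer upload. This is an added example, not code from the thread. It works on the `Versions` array that `aws s3api list-object-versions` returns; the sample data, canonical IDs and function names are constructed for illustration.

```python
# Constructed sample in the shape of the "Versions" array returned by
# `aws s3api list-object-versions`; keys and canonical IDs are made up.
BUCKET_OWNER_ID = "canonical-id-bucket-owner"
SAMPLE_VERSIONS = [
    {"Key": "folder/a.pdf", "VersionId": "v2", "IsLatest": True,
     "Owner": {"ID": "canonical-id-bucket-owner"}},
    {"Key": "folder/a.pdf", "VersionId": "v1", "IsLatest": False,
     "Owner": {"ID": "canonical-id-other-account"}},
    {"Key": "folder/b.pdf", "VersionId": "v1", "IsLatest": True,
     "Owner": {"ID": "canonical-id-bucket-owner"}},
    {"Key": "folder/c.pdf", "VersionId": "null", "IsLatest": True,
     "Owner": {"ID": "canonical-id-other-account"}},
]


def foreign_owned_versions(versions, bucket_owner_id):
    """Group, by key, the versions whose Owner.ID is not the bucket owner's."""
    flagged = {}
    for v in versions:
        owner = v.get("Owner", {}).get("ID")
        if owner != bucket_owner_id:
            flagged.setdefault(v["Key"], []).append(
                {"VersionId": v["VersionId"], "Owner": owner,
                 "IsLatest": v["IsLatest"]})
    return flagged


def masked_by_newer_upload(versions, bucket_owner_id):
    """Keys whose latest version is bucket-owned while an older one is not.

    If ownership is the cause of the 403, these keys download today but
    would fail again once the latest version is removed.
    """
    flagged = foreign_owned_versions(versions, bucket_owner_id)
    latest_ok = {v["Key"] for v in versions
                 if v["IsLatest"]
                 and v.get("Owner", {}).get("ID") == bucket_owner_id}
    return sorted(k for k in flagged if k in latest_ok)


if __name__ == "__main__":
    found = foreign_owned_versions(SAMPLE_VERSIONS, BUCKET_OWNER_ID)
    for key, items in found.items():
        for item in items:
            state = "latest" if item["IsLatest"] else "older"
            print(key, item["VersionId"], item["Owner"], state)
    print("masked:", masked_by_newer_upload(SAMPLE_VERSIONS, BUCKET_OWNER_ID))
```
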

0

Yes, they have the same ACL policy because they are in the same bucket, and ownership is the same at the bucket level. We tested uploading the same file type with exactly the same file name under the same folder and bucket, and then it can be downloaded. Then we enabled versioning and removed the latest version just downloaded, and the old version cannot be downloaded again, with the same 403 Forbidden. We tried to edit the metadata and it shows: [image]

answered 2 months ago
  • What IAM access do you have and what’s the bucket policy?

0

Verified the bucket ACL is correct and tried some other objects in the same bucket and same folder; they are OK to download. Only certain objects appear as 403 Forbidden.

answered 2 months ago